Wireless Local Area Networks have gained a significant and remarkable reputation in the computer network market. Still, security concerns and the threats associated with them have prevented some network managers and administrators from deploying wireless LANs, in spite of the various benefits they offer. Security measures that make a wireless LAN more secure would therefore be a major benefit and a source of profit for them.
In this chapter, we present the security issues related to IEEE 802.11. Then we discuss the different security mechanisms existing in the market. The security threats and weaknesses associated with wireless LANs are also explored, and numerous countermeasures to fight them are proposed.
Goals of Wireless LAN Security
The main goal of wireless LAN security is to protect and maintain user privacy and to make sure that an attacker cannot access the network without authorization and attack it. The following goals should be considered for effective wireless LAN security:
Identify and verify the identity of the sender and receiver of a message.
Maintain the integrity of data as it is processed, stored or transmitted over a wireless LAN.
Maintain the confidentiality of data as it is processed, stored or transmitted over a wireless LAN.
Maintain the capability to process data, as well as the availability of data stored on a wireless LAN, and transmit the data in a timely manner.
IEEE 802.11 Standards
This section describes the security mechanisms available in the IEEE 802.11 standard and their weaknesses. The key management problems of the WEP protocol and its vulnerabilities are identified, and the efforts to fix the security flaws are also described.
IEEE 802.11 Security Issues
Unlike a wired network, a wireless LAN has no physical (wired) connection; it sends data over the air between user devices and the base station using radio waves. That means any wireless LAN station within an access point's service area can receive data transmitted to or from the access point. Therefore, if the transmitted data or packets are not encrypted, they can be viewed by attackers within the area. This transmission mode makes wireless LANs one of the network technologies most targeted by attackers (hackers). Nevertheless, the traditional 802.11 wireless LAN offers some security means to protect the network. These include the use of static Wired Equivalent Privacy (WEP) keys and the use of open or shared-key authentication. Together they provide a level of access control and privacy, but each of them can be compromised. The following subsections explain the issues and security challenges faced by IEEE 802.11.
Key management relies on a static WEP key that can be either 40 or 128 bits in size. When using this method, the static key has to be the same on every device connected to the wireless LAN. The negative aspect is that if the static WEP key has been cracked by an attacker (hacker), there is no way of knowing it.
Are you sure that the logged-in user is really that user? It is a familiar practice for people to use other people's accounts to authenticate themselves to the server. In most wireless LANs, companies or other businesses often create one account, "Wireless User Access," that can be used by many different devices. The problem is that an attacker (hacker) with a wireless device could easily log in to this shared account and gain access to the network.
To prevent an attacker from authenticating to your wireless LAN, you can set your router to allow connections only from authorized wireless network cards. Each card has a Media Access Control (MAC) address that uniquely identifies it. You can configure your router to authenticate only those network cards that are pre-registered to log onto your network. This protects you from other users who roam around your building looking for a good signal to log onto your wireless LAN.
IEEE 802.11 supports two kinds of user authentication methods: the shared-key authentication method and the open authentication method.
Shared-key authentication method: when using this method, the access point sends a challenge text packet to the user station; the user station must encrypt the challenge text with the correct WEP key and send it back to the access point. If the user does not know the key or has the wrong key, he will not be able to authenticate to the system. This method is not really secure because an attacker (hacker) can easily capture both the challenge text and the WEP key and use them to access the wireless LAN.
Open authentication method: this is the default authentication method. It does not require any authentication at all, and any user can access the wireless LAN at any time. With the open authentication method, the WEP protocol prevents the user from sending data to and receiving data from the access point unless he has the correct WEP key.
The Wired Equivalent Privacy (WEP) protocol is the first security mechanism proposed by the manufacturers. WEP is included as part of the 802.11 standard for encrypting wireless LAN traffic. It can be used with 40-bit or 128-bit keys, depending on the wireless LAN administrator. WEP requires all connecting devices to share the same key.
The WEP protocol uses the symmetric stream cipher RC4 to encrypt all network traffic, with the same key for encryption and decryption. Figure 3.1 illustrates the WEP encryption process.
Figure 3.1: WEP Encryption
As Figure 3.1 shows, the Wired Equivalent Privacy protocol uses two processes to protect the plaintext data: the first encrypts the plaintext, and the second protects it against unauthorized modification. A 40-bit secret key is combined with a 24-bit Initialization Vector (IV), resulting in a 64-bit total key that is fed into the Pseudorandom Number Generator (PRNG). The PRNG (RC4) generates a pseudorandom key sequence from the input key, and this sequence is used to encrypt the data with a bitwise XOR.
Figure 3.2 shows the decryption approach of the Wired Equivalent Privacy protocol: to decrypt an incoming message, the receiver uses the Initialization Vector (IV) carried in that message to regenerate the key sequence needed for decryption.
Figure 3.2: WEP Decryption
As Figure 3.2 shows, combining the proper key sequence with the ciphertext yields the original plaintext and the Integrity Check Value (ICV). The decryption is verified by running the ICV algorithm on the recovered plaintext and comparing the resulting Integrity Check Value with the ICV transmitted with the message. If the computed Integrity Check Value differs from the transmitted ICV, an error is detected and an error indication is sent to MAC management and to the sending station. A station whose messages fail to decrypt will not be able to authenticate and access the network.
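The two figures above can be followed in code. The block below is an added example, not part of the original chapter or of any product: it implements RC4 as WEP's PRNG, builds the frame body as (plaintext || ICV) XOR keystream with the 24-bit IV prepended, and on the receiving side regenerates the keystream from the received IV and checks the CRC-32 ICV. The key, IV and messages are constructed sample values. It also shows why the small IV space listed among WEP's flaws matters: two frames that reuse an IV share a keystream, so the XOR of their ciphertexts equals the XOR of their plaintexts, which a receiver-side monitor can use to count IV reuse.

```python
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling plus output generation; this is the PRNG WEP uses."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(plaintext: bytes) -> bytes:
    """WEP Integrity Check Value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """Figure 3.1: seed = IV || secret key; body = (plaintext || ICV) XOR keystream.
    The frame carries the IV in the clear, then a key-id byte, then the body."""
    if len(iv) != 3 or len(secret_key) not in (5, 13):
        # 40- or 104-bit secret key; marketed as 64- and 128-bit WEP once the IV is counted
        raise ValueError("WEP uses a 24-bit IV and a 40- or 104-bit secret key")
    keystream = rc4_keystream(iv + secret_key, len(plaintext) + 4)
    body = bytes(p ^ k for p, k in zip(plaintext + icv(plaintext), keystream))
    return iv + bytes([key_id << 6]) + body


def wep_decrypt(secret_key: bytes, frame: bytes):
    """Figure 3.2: regenerate the keystream from the received IV, XOR it away, then
    recompute the ICV. Returns the plaintext, or None when the ICV check fails
    (wrong key or a modified frame)."""
    iv, body = frame[:3], frame[4:]
    keystream = rc4_keystream(iv + secret_key, len(body))
    data = bytes(c ^ k for c, k in zip(body, keystream))
    plaintext, received_icv = data[:-4], data[-4:]
    if received_icv != icv(plaintext):
        return None
    return plaintext


def ciphertext_xor(frame_a: bytes, frame_b: bytes) -> bytes:
    """XOR of the encrypted payloads (ICV excluded) of two equal-length frames.
    When both frames share an IV (and thus a keystream) the keystream cancels
    and the result is the XOR of the two plaintexts. With only 2**24 IV values,
    a busy access point reuses IVs quickly, which is the flaw discussed above."""
    return bytes(a ^ b for a, b in zip(frame_a[4:-4], frame_b[4:-4]))


# Constructed sample values, not taken from any real network.
SAMPLE_KEY = b"\x0a\x0b\x0c\x0d\x0e"
SAMPLE_IV = b"\x00\x00\x01"

if __name__ == "__main__":
    frame = wep_encrypt(SAMPLE_KEY, SAMPLE_IV, b"hello, wireless LAN")
    print(wep_decrypt(SAMPLE_KEY, frame))
```

Running the block round-trips the sample message; changing any body byte or using a different key makes `wep_decrypt` return `None`, which is exactly the ICV failure path Figure 3.2 describes.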
WEP Security Problems
The WEP protocol offers some security for IEEE 802.11. It reduces the effectiveness of attacks by hackers, but it is defenseless against various cryptographic attacks that expose the shared key used to encrypt and authenticate data.
Various design flaws have made the WEP protocol vulnerable. Some of these flaws are:
Short encryption keys.
Lack of key management processes.
Generation of small Initialization Vectors (IVs).
There are numerous programs and tools on the wireless market that make penetrating a wireless network really easy for hackers. One of the most popular, Airopeek from WildPackets, has the capability to recover the WEP key and provide the hacker with plaintext decodes. Another popular program, AirSnort, is based on the Fluhrer, Mantin, and Shamir (FMS) attack and can also help a hacker penetrate wireless networks.
Given these flaws, it is clear that the security of the WEP protocol is ineffective. Therefore, new solutions and improvements to this protocol are presented in this research.
Higher-level security mechanisms should be installed, because the security procedures provided in the IEEE 802.11 standard are all weak against attacks. These mechanisms are:
Virtual private networks.
To improve the security and authentication mechanisms, the IEEE 802.11 committee formed a task group called 802.11i. Its work was, first, to improve Wired Equivalent Privacy (WEP) with the Temporal Key Integrity Protocol (TKIP); second, to replace the 802.11 authentication with 802.1x authentication and key management; and last, to deploy the Enhanced Security Network (ESN) solution.
WEP Improvement with TKIP
The IEEE 802.11i working group offered a new security standard called the Temporal Key Integrity Protocol (TKIP), also known as WEP2. The new standard is a replacement for the old WEP, which had many problems. WEP2 fixes the short encryption keys and the small Initialization Vector (IV), and it still uses RC4. It generates longer keys to solve WEP's short-key problem, and it uses a technique called the Message Integrity Code (MIC) to address undetected modification attacks. However, it is not accepted by some applications, but it can be used to replace the WEP protocol.
Replacement of the IEEE 802.11 Standard with the IEEE 802.1x
Developing a framework that provides dynamic key distribution and authentication is one of the alternatives for improving WLAN security. 802.1x is an authentication standard for 802-based LANs using port-based network access control. There are three fundamentals of the IEEE 802.1x approach:
Mutual authentication between the user and an authentication server (Remote Authentication Dial-In User Service [RADIUS]).
Encryption keys dynamically derived after authentication.
Centralized policy control.
ESN Solutions Proposed
The ESN solution focuses on stronger encryption for data over wireless networks by using a non-proprietary 128-bit encryption solution that supports the Advanced Encryption Standard (AES) algorithm. HMAC-SHA1-128 can be used as the hashing function to support message authentication with AES.
Wireless Security Threats and Attacks
Security solutions decrease the opportunities for an attacker to penetrate the wireless LAN, but most of them are still vulnerable to attacks. Attacks that allow unauthorized users to gain access to the system are divided into active and passive attacks. Figure 3.3 shows several types of attacks and security threats that an attacker can use against a wireless LAN.
Figure 3.3: Security Threats and Attacks
Active Attacks
An active attack is one in which the attacker or hacker gains access to a network and makes modifications to its resources or to the messages transmitted over it. It is usually possible to detect this kind of attack, but in some cases it may not be preventable. There are four types of active attacks, defined below:
Masquerading: The hacker (attacker) uses a sniffer to capture the user name and password of an authorized user in order to gain access to the network or to obtain certain unauthorized privileges. He/she can also place his/her own access point into the network and trick unwitting users into revealing passwords.
Replay: The attacker listens to and monitors the traffic between two parties (a passive attack) and retransmits the message as if he/she were one of the valid users.
Message Modification: The attacker changes the contents of a valid message by removing, adding to, or altering it.
Denial-of-service: The attacker prevents the normal use, functioning and management of a network by injecting a large amount of traffic into it. The technical term for this is jamming or flooding the network's frequency. Legitimate traffic gets jammed because illegitimate traffic overwhelms the frequencies, and legitimate traffic cannot get through.
Passive Attacks
A passive attack is one in which an attacker or hacker gains access to a network but does not change or modify its resources. There are two types of passive attacks, eavesdropping and traffic analysis, described below.
Eavesdropping: The attacker uses various tools to listen to or monitor the transmissions for message content.
Traffic Analysis: The hacker monitors the traffic of a network and obtains a lot of information about it. Once the attacker obtains this information, he/she can analyze it statistically and find a way to access the network. He/she can also build an attack dictionary from the statistics obtained during the monitoring session.
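Two of the active attacks above, masquerading with a planted access point and denial-of-service by flooding, leave traces in 802.11 management traffic that a defender can watch for. The block below is an added example, not part of the original chapter or of any monitoring product: it parses a constructed log of management-frame events (timestamp, BSSID, SSID, frame type, station), flags any BSSID that beacons the corporate SSID without being in the inventory, and flags any second in which one BSSID sends more deauthentication frames than a threshold. The log format, the inventory, the SSID name and the threshold are all assumptions for the example.

```python
from collections import Counter

# Constructed management-frame event log (not a real capture). Fields:
# <unix time> <bssid> <ssid> <frame type> <station MAC, or - for none>
SAMPLE_LOG = """\
1700000000 aa:bb:cc:00:00:01 CorpNet beacon -
1700000000 aa:bb:cc:00:00:01 CorpNet assoc 11:22:33:44:55:66
1700000001 aa:bb:cc:00:00:02 CorpNet beacon -
1700000001 de:ad:be:ef:00:01 CorpNet beacon -
1700000002 aa:bb:cc:00:00:01 CorpNet deauth 11:22:33:44:55:66
1700000002 aa:bb:cc:00:00:01 CorpNet deauth 11:22:33:44:55:67
1700000002 aa:bb:cc:00:00:01 CorpNet deauth 11:22:33:44:55:68
1700000002 aa:bb:cc:00:00:01 CorpNet deauth 11:22:33:44:55:69
1700000002 aa:bb:cc:00:00:01 CorpNet deauth 11:22:33:44:55:6a
1700000002 aa:bb:cc:00:00:01 CorpNet deauth 11:22:33:44:55:6b
1700000003 aa:bb:cc:00:00:01 CorpNet assoc 11:22:33:44:55:66
1700000003 de:ad:be:ef:00:01 GuestNet beacon -
"""

# Constructed inventory of the access points the administrator actually deployed.
KNOWN_BSSIDS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}
CORPORATE_SSID = "CorpNet"
# Deauthentication frames per second from one BSSID before we call it a flood;
# an assumed value, tuned per environment in practice.
DEAUTH_PER_SECOND_THRESHOLD = 5


def parse_events(log_text: str) -> list:
    """Turn the whitespace-separated log into a list of event dictionaries."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, bssid, ssid, frame_type, station = line.split()
        events.append({"ts": int(ts), "bssid": bssid, "ssid": ssid,
                       "type": frame_type, "sta": station})
    return events


def find_rogue_aps(events: list, known_bssids: set, ssid: str) -> list:
    """Masquerading check: any BSSID beaconing our SSID that is not in the
    inventory is a candidate planted access point."""
    return sorted({e["bssid"] for e in events
                   if e["type"] == "beacon" and e["ssid"] == ssid
                   and e["bssid"] not in known_bssids})


def find_deauth_bursts(events: list, threshold: int) -> list:
    """Denial-of-service check: (second, bssid, count) for every second in which
    one BSSID emitted at least `threshold` deauthentication frames."""
    counts = Counter((e["ts"], e["bssid"]) for e in events if e["type"] == "deauth")
    return sorted((ts, bssid, n) for (ts, bssid), n in counts.items() if n >= threshold)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("rogue APs:", find_rogue_aps(evts, KNOWN_BSSIDS, CORPORATE_SSID))
    print("deauth bursts:", find_deauth_bursts(evts, DEAUTH_PER_SECOND_THRESHOLD))
```

On the sample log the first check reports the unknown BSSID that beacons CorpNet (its GuestNet beacon is ignored because the SSID does not match), and the second reports the one second in which six deauthentication frames were sent in the name of a legitimate access point. Because deauthentication frames in the original 802.11 standard carry no authentication, a burst like this is the signature to alert on rather than something the access point itself can refuse.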
Various security algorithms have been invented, and some of them provide good security against these attacks, especially the Advanced Encryption Standard (AES) algorithm, which would take an attacker an infinite number of years to decrypt with current computing capability. In fact, several countermeasures need to be applied to protect a wireless LAN against the possible attacks.
Several countermeasures can be used to address specific attacks and threats related to wireless LANs. Certain countermeasures involve changing the SSID, using MAC authentication, and using the WEP authentication protocol built into most access points. This section discusses basic security measures to prevent casual attacks.
Updating Default Passwords
Usually, access points or wireless devices come with a default password or with no password at all. It is therefore the responsibility of the network administrator to change the default password, or to set a new one, to protect the network against certain threats or attacks.
Changing the Default SSID
The access point should not use the default SSID provided by the manufacturer, because most of them have been published on the Internet and are well known to attackers. The default SSID therefore needs to be changed at the first use and configuration of the access point, to avoid easy access by unauthorized users. Even though an equipped attacker can capture the SSID over the wireless interface, it should still be changed to prevent unequipped users or attackers from accessing the network's resources.
Enabling MAC Authentication
A MAC address is a hardware address that uniquely identifies each computer or attached device on a network. Networks use the MAC address to regulate communications between the network interface cards (NICs) of different computers. IEEE 802.11 WLANs use Media Access Control (MAC) address filtering to increase the security of the network. When it is enabled as a security measure, users are authorized by the unique MAC address of their device. In that case, users who want to use the network have to take their wireless card to the network administrator to have it registered, after which they will have access to the network.
This technique improves security, but it still has some defects, because an attacker can easily determine a MAC address authorized on the wireless network via eavesdropping and then program his/her wireless card, using some software, with the desired MAC address to gain access to the network. The MAC authentication method is not completely secure, but it is better to enable it than to use no security means at all.
WEP Authentication and Encryption
Wireless equipment and access points are not shipped with the WEP security protocol activated; by default, WEP encryption is disabled. It is the responsibility of the network administrator to activate the WEP protocol and to use the shared-key authentication method instead of open system as basic protection for the wireless LAN. As mentioned before, the WEP protocol supports two encryption key sizes: 40 or 128 bits. It is important to use the strongest encryption available (128 bits) as long as it does not adversely affect the network.
Default Channel Modification
To avoid Denial of Service (DoS) attacks and radio interference between two access points in close proximity, the default channel setting must be modified so that they operate in different frequency bands. Once that is done, the chances of having interference problems are reduced.
DHCP Server Usage
For certain wireless LANs, the connection of a user to the network is done automatically using a Dynamic Host Configuration Protocol (DHCP) server. The DHCP server automatically assigns IP addresses to the users associated with an access point. The use of a DHCP server gives users the advantages of roaming or establishing ad-hoc networks. The threat with the DHCP server is that a malicious user or attacker could easily gain unauthorized access to the network through a portable computer with a wireless network interface card. Since the DHCP server will not necessarily know which wireless devices are allowed, it will automatically assign the laptop a valid IP address, and the attacker then has access to the network.
Several solutions can be used to fix the DHCP security problems. First, they can be solved by assigning a static IP address to each user of the WLAN instead of using a DHCP server; however, this method is practical only for small networks, and it negates certain advantages of the network, such as roaming and the establishment of ad-hoc networks. Another possible solution is to place the DHCP server inside the wired network's firewall, granting access to a wireless network located outside of it. The last solution is to use access points with integrated firewalls. In fact, a network administrator should evaluate the need for a DHCP server by taking into consideration the size of the network.
Additional Security Extensions
So far, several security mechanisms and methods have been presented, but they are all vulnerable to attacks. Thus, additional security means and extensions are needed. This section presents the strongest security mechanisms for wireless LANs.
IPSec
IPSec has a practical application in securing wireless LANs by overlaying IPSec on top of the cleartext IEEE 802.11 wireless traffic. When IPSec is used in a WLAN, each PC connected to the network runs an IPSec client, and it is required to direct any transfer to the wired network when a wired backbone network exists.
Two major architectures and corresponding packet types are supported by IPSec:
Encapsulating Security Payload (ESP) header, which provides privacy, authenticity and integrity.
Authentication Header (AH), which provides integrity and authentication only for packets.
IPSec can operate in two different modes: transport mode, which secures an existing IP packet, and tunnel mode, which places an existing IP packet inside a new IP packet sent to a tunnel endpoint in IPSec format, typically between a pair of firewalls/security gateways over an untrusted network. Figure 3.4 shows the operational tunnel modes of IPSec.
Figure 3.4: IPSec Operational Tunnel Modes
Robust Security Network Protocol
The Robust Security Network (RSN), also known as the 802.1x standard, is another security mechanism used to restrict access by unauthorized users to the wireless network by centralizing authentication of WLAN users; it mitigates some of the weaknesses of WEP. It is essentially a standard for sending authentication messages (keys) between an 802.11 access point and a centralized authentication server. The protocol used in the RSN method is called the Extensible Authentication Protocol (EAP).
Extensible Authentication Protocol
The Extensible Authentication Protocol (EAP) was created as an extension to the Point-to-Point Protocol (PPP) that allows the development of arbitrary network access authentication methods and provides centralized authentication and dynamic key distribution. When EAP is used as a security mechanism in a WLAN environment, a user cannot gain access to the network through an access point until he/she performs a network logon. After connecting, the user performs mutual authentication with the network by exchanging EAP messages with the access point or the RADIUS server of the WLAN. The EAP requester (supplicant) on the user device obtains the user credentials, such as a user ID and password or a digital certificate. In the EAP authentication process, neither the session key nor the user password is transmitted in cleartext over the wireless link.
EAP provides three significant benefits for 802.11 security:
The first benefit is the mutual authentication scheme described previously. This scheme completely eliminates the type of attack known as the "man-in-the-middle (MITM) attack".
The second is the centralized management and distribution of encryption keys. Even if the WEP implementation of RC4 had no security flaws, there would still be the administrative difficulty of distributing static keys to all the access points and users in the network. Each time a wireless device got lost, the network would need to be rekeyed to prevent the lost system from gaining unauthorized access.
The third benefit is the ability of the EAP security mechanism to define centralized policy control.
Several different types of EAP are available today for user authentication over either wired or wireless networks. Currently available EAP types include EAP-TLS, EAP-TTLS, PEAP and EAP-MD5.
EAP-TLS (Transport Layer Security)
This is one of the most common implementations in use. It is highly secure because it requires asymmetric public and private keys on both the user and server side for the authentication phase. Deploying EAP-TLS within an organization takes many steps and is not a simple task.
EAP-TTLS (Tunneled Transport Layer Security)
This version of EAP, developed by Funk Software, requires a certificate only on the server side of the authentication, which makes it easier to deploy and almost as secure as EAP-TLS.
EAP-MD5
This is the least secure version, and it does not support dynamic WEP key rotation. It is susceptible to dictionary attacks because it uses a user name and password for authentication. Figure 3.6 illustrates the steps of the EAP-MD5 authentication process.
Figure 3.6: EAP-MD5 Authentication Process
PEAP (Protected EAP)
PEAP is a similar but more secure version of EAP co-developed by Cisco and Microsoft. It was designed to resolve the problem that the entire EAP conversation might be sent as cleartext, so that an attacker with access to the medium could inject packets into the conversation or capture the EAP messages from a successful authentication for offline analysis. PEAP solves this problem by first creating a secure channel that is both encrypted and integrity-protected with TLS.
Wi-Fi Protected Access
WPA is also a security mechanism; it combines 802.1x authentication with Temporal Key Integrity Protocol (TKIP) encryption to make wireless LANs more secure against attacks. The TKIP protocol includes a key mixing function, a message integrity check and a re-keying mechanism that rotates keys faster than they can be cracked by hackers. Many security experts and researchers believe that the combination of TKIP and 802.1x should provide adequate security for most WLAN users.
This chapter presented an overview of the security mechanisms that can be used to protect a wireless LAN. WEP and the other basic security means used to protect the WLAN were shown to be insecure. The threats and security issues that can affect the WLAN were also given, divided into active and passive threats. In view of the WLAN security problems, several countermeasures that need to be taken to protect the wireless network were also presented. At the end of the chapter, other security mechanisms such as EAP, PEAP and WPA (Wi-Fi Protected Access) were also presented.